January 31, 2002 at 12:53 pm
Received an email letter that listed "SQL Worst practices". Why was this one included?
- Running SQL Server in mixed-authentication mode without a NULL
password for the systems administrator (sa) account.
Without a NULL? Is he saying the "sa" should be NULL in mixed-mode? I'm mixed up.
TIA,
Bill
January 31, 2002 at 12:56 pm
I would hope the without should have been with. Running without a password isn't smart, even in development. There's even been a worm developed to exploit this.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
K. Brian Kelley
@kbriankelley
January 31, 2002 at 2:02 pm
Hopefully it wasn't our email newsletter?
I agree with Brian. In ANY environment, ALL accounts SHOULD HAVE a password.
Steve Jones
January 31, 2002 at 2:17 pm
Steve,
It was in the January 31st edition of
********************
SQL Server Magazine UPDATE--brought to you by SQL Server Magazine
********************
1. ==== COMMENTARY ====
* WORST PRACTICES REVEALED
Greetings,
Two weeks ago, I asked for your help in creating a comprehensive list
of SQL Server "worst practices." I thought this task would be a fun
twist on the annual tradition of making New Year's resolutions, and I
hoped that all of us could learn something along the way.
I know that talking about best practices--what you SHOULD do--is more
politically correct. But the world would be a happier place to work and
live in if we found a way to avoid the common mistakes we make day in
and day out.
I've received a lot of support for this endeavor, and you've sent a
great compilation of worst practices. The first group of worst-
practices items is below. As the list grows, I hope it will serve as a
reminder to experienced SQL Server professionals to avoid these common
mistakes. I suspect that the list will also become a resource for SQL
Server beginners as they learn the ropes. As the list grows, I'll
occasionally publish some of the latest and greatest worst practices in
this newsletter. I'll also find a location on the SQL Server Magazine
Web site to post the list so I can keep it up-to-date.
The items in the following list appear in no particular order of
importance, and I've liberally mixed administration and development
worst practices.
Worst Practices:
- Making production changes without testing them in a quality-
assurance environment just because it's easier and saves time.
- Running SQL Server in mixed-authentication mode without a NULL
password for the systems administrator (sa) account.
- Using inconsistent and arcane naming conventions for tables and
columns.
- Assuming someone else is doing the backup.
- Assuming that the backup can be restored even though you've never
tested your recovery plan.
- Allowing NULL columns just because you're too lazy to figure out
column defaults and constraints.
- Hard-coding your applications to connect using sa.
Needless to say, I've never personally made ANY of these horrifying
mistakes. But I have a friend who admits to making them from time to
time. This list is far from comprehensive, so keep your suggestions
coming!
Brian Moran, SQL Server Magazine UPDATE News Editor, brianm@sqlmag.com
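A defender's check for two of the items above (mixed-mode authentication with a blank sa password, and applications connecting as sa), written as an added example that is not from the thread or the newsletter. It assumes SQL Server 2005 or later, where SERVERPROPERTY('IsIntegratedSecurityOnly'), sys.sql_logins, PWDCOMPARE and sys.dm_exec_sessions exist, and a login with rights to read password hashes.

```sql
-- Added example (not from the thread). Audits the worst practices discussed
-- above on SQL Server 2005+: mixed mode plus a blank sa password, any other
-- SQL login with a blank password, and sessions that connect as sa.

-- 1. Authentication mode: 1 = Windows-only, 0 = mixed (SQL logins enabled).
SELECT
    CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
        WHEN 1 THEN 'Windows authentication only'
        ELSE 'Mixed mode (SQL logins enabled)'
    END AS auth_mode;

-- 2. SQL logins whose password is blank. PWDCOMPARE returns 1 when the
--    clear-text value matches the stored hash. sa is principal_id 1 even
--    when renamed, so it is identified by id rather than by name.
SELECT
    l.name,
    l.is_disabled,
    CASE WHEN l.principal_id = 1 THEN 'sa' ELSE 'other' END AS login_kind
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(N'', l.password_hash) = 1;

-- 3. Applications that are hard-coded to connect as sa show up here as
--    user sessions; each host/program pair is a candidate for its own
--    least-privilege login.
SELECT
    s.host_name,
    s.program_name,
    COUNT(*) AS session_count
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND s.login_name = SUSER_SNAME(0x01)   -- sa's SID, valid even if renamed
GROUP BY s.host_name, s.program_name
ORDER BY session_count DESC;
```

If query 1 reports mixed mode and query 2 lists the sa login, that is exactly the corrected worst practice from the newsletter; query 3 tells you which applications would break if sa were disabled.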
January 31, 2002 at 2:26 pm
You are correct, sir. Time to email someone.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
January 31, 2002 at 3:34 pm
Shows you which newsletter you SHOULD be watching and which one you SHOULD NOT!
Steve Jones
January 31, 2002 at 7:33 pm
Well, I've sent a message off to Mr. Moran. I'm sure it was a typo.
BTW, articles by Steve and Andy on Worst Practices start here:
http://www.sqlservercentral.com/columnists/awarren/worstpracticespart1ofaverylongseries_1.asp
The latest one (which has links to the predecessors) is the following:
http://www.sqlservercentral.com/columnists/sjones/wp_encryption.asp
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
February 7, 2002 at 10:25 am
From the newest SQL Server Magazine UPDATE newsletter:
quote:
A final note: Oops! Last week's worst-practices commentary contained a
one-word typo that had major ramifications. I listed one of the worst
practices as "Running SQL Server in mixed-authentication mode without a
NULL password for the systems administrator (sa) account."
Fortunately, more than 100 eagle-eyed readers pointed out my error.
I'm sorry that I wasn't able to respond to everyone individually, but,
yes, the worst practice should have read "Running SQL Server in mixed-
authentication mode with a NULL password for the systems administrator
(sa) account."
Brian Moran, SQL Server Magazine UPDATE News Editor, brianm@sqlmag.com
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
February 7, 2002 at 11:23 am
But isn't it so much simpler to remember the password when it is NULL?
February 7, 2002 at 12:06 pm
drowssap is pretty easy, too.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
February 7, 2002 at 1:51 pm
February 7, 2002 at 2:03 pm
So is nimda but I already dealt with that.
February 7, 2002 at 2:33 pm
Nimda was a pain, but it shouldn't have been as big a problem as it turned out to be. In almost every case if a server had been properly secured after Code Red and Code Red II, there wasn't an issue. As it is, I can review my web logs and still see the tell-tale signs of all three.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/